
I finished a 5-part series on how to run an e-mail server in 2022 with all the DKIM/SPF/DMARC stuff working. It's not a simple HOWTO series, but it does explain all the moving parts. So if you're interested in learning a bit about modern e-mail - you're welcome! Starts here: jan.wildeboer.net/2022/08/Emai

Took me almost a month and was the direct result of me having to move my old server to a new hoster. I took it as an opportunity to modernise the whole setup, which had been running more or less unchanged for 8+ years. Now it's up to 2022 level and is happily accepted by Gmail etc. as a legitimate source of e-mails :)

It's a really bare-bones setup. No webmail, no user databases, no nothing. Just the basics. A robust, lean and mean e-mail server that reliably manages mails for 20+ domains in a secure way. I understand every part of it and that was the goal :)

And as Murphy predicts, the #1 story on HN right now is to NOT run your own e-mail Server ;) I’m just so reliably counter-culture :)

@jwildeboer smtpd_tls_security_level = may seems to promote interoperability, but I'd be interested in your stats - when do you ever get a non-TLS connection that contains legitimate email?

@yojimbo As I am subscribed to some very, very old e-mail lists - actually quite often.

@yojimbo @jwildeboer They may have fixed this now, but I ran my mail with "require" for a few months, and Eventbrite emails (events I paid for tickets to) not getting through were the thing that forced me to turn that off.

@jwildeboer
Plus, you have the conviction and are sure you did everything right. #GoodFeeling

@jwildeboer
Now I have to check the settings on my servers first, then read your article and then Carlos'.

@jwildeboer
I like to laugh when others tell me it cannot be done and I can reply with "I have it working".
So do not worry, it is not you ;-).

@ttyS1 I try to stick to "Keep calm, keep stuff working, share how you do it, listen to well-intended critics, learn, repeat" :)

@jwildeboer I run email (and Mastodon) via Yunohost on a laptop, and it does seem to work. However, I am far from understanding how everything works. It's the lazy man's solution, I guess. But it's still self-hosting.

@eivind Good stuff! And if you really want to dive deeper, I hope my little series helps you to take a look at /var/log/maillog and understand a bit better what it all means :)

@jwildeboer you don't have anything in here on spam filtering but presumably you still need that?

@ehashman Actually not :) I get very few spam e-mails, maybe 2 per week, with this setup. Mostly because I radically reject connections from IP addresses with no hostname. That seems to be quite effective.

@jwildeboer In my experience that both caused legitimate mail to fail to deliver (VIA Rail) and didn't substantially reduce the spam I was receiving, e.g. via open mailing lists.

@ehashman @jwildeboer My strategy (if I might interject as a fellow "run my own mailserver because apparently I like pain") has been to use Spamhaus' RBL. I used to use SPF checking and the hostname validation, but those proved problematic or useless at best. Where this fell down recently for me was trying to get validation codes via email from my hospital.

Not saying this is perfect or even recommended but it's the one rule that has withstood the test of time on my system.

(Apologies for the drive-by tech support)

@craigmaloney @ehashman Yep, that's why I have

reject_rbl_client zen.spamhaus.org,
reject_rhsbl_client dbl.spamhaus.org

in my postfix config :)

@craigmaloney @ehashman But I also catch a lot of these with hostname checking (note: I am friendly and send a bounce message back, just in case).

@jwildeboer @craigmaloney I also set these up; while it helps with spam, I still receive on the order of 40-100 spam emails per week, perhaps because my Debian email is public.

@jwildeboer @craigmaloney (the reason I asked is because I have a silly custom spam filtering solution that is neither milter nor spamassassin-based, but there is no way that running my own email, which I've done for about a decade now, would be usable without it)

@ehashman In my case it blocks around 200 connections/day and none of them have been legitimate senders. 95% are Chinese IP addresses, BTW.

@jwildeboer@social.wildeboer.net I like to read this, but the fact that this is a 5 part series is exactly why I do not host my own email.

@SuperDicq That's not the goal of the series. It's more a documentation of how modern e-mail works and as a result of understanding that, I was able to modernise my own server. You may learn some interesting things when reading, even if you don't plan to run your own server. Try part 1 - you may like my writing style and pick up some nice trivia on the way :)

@jwildeboer I started reading it and tomorrow will take some time to look deeper into it.

I really want to host my own email, but like you, I will only do it if I "understand every single step on the way".

Thank you so much for sharing. This 5 part series might be a great place to start :)

@masstransitkrow I’m not trying. I’ve been running my own mail server for many, many years without problems. I just decided to update it to modern standards :)

@jwildeboer Still looks great. I do like your suggestion on the minimum SSL/TLS version for Dovecot and just implemented it. I didn't divide my tutorial like yours - I just threw it together, and went back to update it when I discovered better configuration options.

I've been relaying for about a year and it's nice to see that your messages are reaching Outlook users, too. Allegedly they've been hard to reach.

I'd actually like your feedback on my tutorial:
https://www.krowverse.services/story/set-up-email.html

@jwildeboer Hello, thank you for this, I just started reading.
It seems the CSS is missing, I got a 404 error while loading jan.wildeboer.net/assets/css/m

@jwildeboer Hi Jan, just finished reading your piece - very interesting and thank you for sharing.
I have also been running my own barebones mailserver for a number of years (OpenSMTPD on OpenBSD with Dovecot) and haven't run into many issues with MSFT, Google and the like so far.

I have not used Postfix too much, but do I understand your setup correctly, that for every email alias you create, you also create a set of credentials in your Dovecot for authentication? That means if you have 30 mail addresses you have to configure your IMAP clients with 30 different accounts to receive those mails? Or is it only about logging in as vmail and seeing all mails from the created subfolders?
I myself have a single local user with tons of aliases all forwarded to that user. Your setup would be a tad too involved in terms of creating aliases, which I do for every service I create a login for.

@lvdd_ I have maybe 5 "real" logins ATM. And yes, also a lot of aliases and forwarding. So it is quite manageable. But every account has its own maildir.

@jwildeboer Thanks for the quick feedback. That clarifies it for me.
I have to think about the "no local user" approach and how to adopt it for my setup as this makes a lot of sense to me.

@lvdd_ Any more questions - just ask! Or if you think I should change something - please share!

@jwildeboer Thanks for offering personal support - haha - just kidding.
I'm good, as I believe I have understood the setup, and this might be the trigger for me to actually look into Postfix, which is what I have an urge to do anyway. So far most guides and descriptions I read show elaborate setups with databases and antispam tools, which is way overboard for my use case. I tried SpamAssassin and rspamd for a while until I realized that those weren't doing anything; they were just wasting CPU cycles.
I want something small and simple, and your setup is a good example of that. I think I am going to use a couple of your ideas but will deviate to fit my needs.

However, I am in the camp of others here in the thread who have not had good experiences with checking the DNS names of sending systems. I had issues with a company I was in business with that wasn't able to send me emails because they had their system name set differently than in their DNS. I needed to receive their messages though, which is why I disabled that rule again. I believe this is more common than we think.

Minor nitpick I saw in your Dovecot part: chapter 10-ssl.conf says that Postfix requires the dh.pem file. It should probably say Dovecot needs this, right?

@jwildeboer

In /etc/opendkim.conf you have:
Socket inet:8891@localhost

Why open an inet socket if a file is enough?
local:/var/spool/postfix/opendkim/opendkim.sock

@jwildeboer
opendkim.conf(4) says for Selector:
"This parameter is ignored if a KeyTable is defined."

@jwildeboer I'm a bit puzzled by your TLS configuration; on the one hand, you accept unencrypted connections to postfix, on the other hand you insist on a recent enough version of TLS. The second part looks unnecessary and may reject some mail providers who still use TLS 1.0 (Orange France, I'm looking at you, at least as of a few months ago).

@nono it’s a bit of a compromise. I am subscribed to some very, very old mailing lists on servers that seemingly haven’t been touched for half my life, so unencrypted is unavoidable. OTOH I have not yet missed any legitimate e-mail with this TLS setup, but it works quite well to block a ton of automated probing scripts :)
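The two knobs argued over in this thread, the reverse-DNS/RBL client rejections (@ehashman, @craigmaloney) and opportunistic-but-modern TLS (@yojimbo, @nono), as one Postfix main.cf fragment. This is an added example, not Jan's actual configuration; the parameter names are standard Postfix ones, the layout and the use of warn_if_reject for the strict hostname check are my assumptions.

```ini
# Postfix main.cf fragment (constructed example, not the thread author's config).
#
# Connection-time checks discussed above: Spamhaus DNS blocklists, then
# reverse-DNS checks on the connecting client IP.
#   reject_unknown_reverse_client_hostname  rejects clients with no PTR record
#                                           at all (the lenient check)
#   reject_unknown_client_hostname          also requires the PTR name to
#                                           resolve back to the client IP;
#                                           this is what rejects senders whose
#                                           forward and reverse DNS disagree
# warn_if_reject turns the strict check into a logged "reject_warning" so its
# false-positive rate can be read from the mail log before it is enforced.
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org,
    reject_rhsbl_client dbl.spamhaus.org,
    reject_unknown_reverse_client_hostname,
    warn_if_reject reject_unknown_client_hostname

# Inbound TLS: "may" keeps cleartext possible for old list servers, while any
# client that does negotiate TLS is held to 1.2 or newer. The >= syntax needs
# Postfix 3.6+; on older releases write "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1".
smtpd_tls_security_level = may
smtpd_tls_protocols = >=TLSv1.2
# Log protocol and cipher per TLS session, so "how much legitimate mail still
# arrives in cleartext?" can be answered from /var/log/maillog.
smtpd_tls_loglevel = 1
```

Once the log shows no reject_warning lines for senders you care about, drop the warn_if_reject prefix to enforce the strict check.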

social.wildeboer.net
